A threat group linked to China has exploited vulnerabilities in ConnectWise ScreenConnect and F5 BIG-IP software, deploying custom malware capable of installing additional backdoors on compromised Linux systems. The campaign is being tracked by Mandiant, a Google subsidiary, under the identifier UNC5174, also known as Uteus. Mandiant describes UNC5174 as having transitioned from a participant in Chinese hacktivist collectives to a contractor for China's Ministry of State Security (MSS), focused specifically on access operations.

The attacks have targeted research and educational institutions in Southeast Asia and the U.S., businesses, charities and NGOs in Hong Kong, and government organizations in the U.S. and the U.K. The activity clusters into distinct windows: a wave of intrusions in October and November 2023, and a resurgence in February 2024 that leveraged the newly disclosed ScreenConnect flaws.

Initial access was obtained by exploiting known vulnerabilities, including flaws in Atlassian Confluence and the Linux kernel alongside the ConnectWise ScreenConnect and F5 BIG-IP bugs mentioned above. Once a foothold is established, the group carries out extensive reconnaissance and scanning to find further weaknesses in internet-facing systems. UNC5174 has also been observed creating administrative accounts to obtain elevated privileges, which it then uses to deploy a C-based ELF downloader tracked as SNOWLIGHT.

SNOWLIGHT's primary job is to fetch the next-stage payload from a remote server: an obfuscated Golang backdoor called GOREVERSE. GOREVERSE connects back to SUPERSHELL, an open-source command-and-control (C2) framework, which lets the attackers establish reverse SSH tunnels and open interactive shell sessions for executing arbitrary commands on the host.
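Two of the tradecraft items above, the creation of extra administrative accounts and the reverse SSH tunnels opened by GOREVERSE, leave traces a responder can check for on a Linux host. The following is an added triage example written for this article; it is not Mandiant's code, nor anything recovered from the actors, and the sample `/etc/passwd`, `/etc/group` and `ss -tnp` snapshots it parses are constructed. The port-22 heuristic is an assumption: a SUPERSHELL listener can sit on any port the operator chooses, so treat the connection check as a starting point for pivoting on the owning process rather than as a signature.

```python
"""Triage helpers for two UNC5174 tradecraft items on a Linux host:
unexpected privileged accounts, and SSH-like connections owned by a
process that is not the ordinary ssh client. Added example with
constructed sample data; not code from the original article."""
import re

# Constructed /etc/passwd snapshot. 'support' is a planted second UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
support:x:0:0::/home/support:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed /etc/group snapshot. 'support' was also added to sudo.
SAMPLE_GROUP = """sudo:x:27:alice,support
wheel:x:10:
"""

# Constructed `ss -tnp` output. The second line is the suspicious one: an
# SSH connection owned by a process that merely names itself like a kernel thread.
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:44812 203.0.113.9:22 users:(("ssh",pid=2314,fd=3))
ESTAB 0 0 10.0.0.5:51022 203.0.113.7:22 users:(("kworker",pid=4141,fd=4))
ESTAB 0 0 10.0.0.5:39444 198.51.100.4:443 users:(("curl",pid=5555,fd=3))
"""


def privileged_accounts(passwd_text, group_text, admin_groups=("sudo", "wheel", "admin")):
    """Return {username: [reasons]} for every account that is UID 0 or a
    member of one of the admin groups. Duplicate UID 0 entries are the
    classic hidden-root trick, so each UID-0 name is reported, not just root."""
    reasons = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        name, uid = fields[0], fields[2]
        if uid == "0":
            reasons.setdefault(name, []).append("uid 0")
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or fields[0] not in admin_groups:
            continue
        for member in filter(None, fields[3].split(",")):
            reasons.setdefault(member, []).append(f"member of {fields[0]}")
    return reasons


def unexpected_privileged_accounts(passwd_text, group_text, baseline=frozenset({"root"})):
    """Diff the privileged set against the accounts an admin expects to see."""
    found = privileged_accounts(passwd_text, group_text)
    return {name: why for name, why in found.items() if name not in baseline}


# Matches the first ("name",pid=N) pair in an ss "users:(...)" column.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def ssh_sessions_from_unexpected_binaries(ss_text, expected=("ssh", "sshd"), port="22"):
    """Return [(process, pid, peer)] for established connections to the given
    remote port whose owning process is not a normal SSH binary. Assumes the
    default `ss -tnp` column layout; IPv6 peers like [::1]:22 are handled."""
    hits = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "ESTAB":
            continue
        peer = parts[4]
        if peer.rpartition(":")[2] != port:
            continue
        match = _PROC_RE.search(parts[5])
        if match is None:
            continue
        proc, pid = match.group(1), int(match.group(2))
        if proc not in expected:
            hits.append((proc, pid, peer))
    return hits


if __name__ == "__main__":
    print("unexpected privileged accounts:",
          unexpected_privileged_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, baseline={"root", "alice"}))
    print("ssh sessions from unexpected binaries:",
          ssh_sessions_from_unexpected_binaries(SAMPLE_SS))
```

On a live host, feed the functions the real files and the output of `ss -tnp`; a hit in the second check is worth pivoting to `/proc/<pid>/exe` to see which binary actually owns the socket, since a Go backdoor can name its process anything.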

The group also uses GOHEAVY, a Golang tunneling tool, most likely to support lateral movement inside compromised environments. Alongside its custom malware it relies on publicly available tooling such as afrog, DirBuster, Metasploit, Sliver and sqlmap for vulnerability scanning, web content discovery, exploitation and post-exploitation command and control.

In an unusual twist, the actors were observed applying mitigations for CVE-2023-46747, the F5 BIG-IP flaw they had exploited, apparently to stop other adversaries from using the same vulnerability to gain access to the compromised appliances. Mandiant's analysis also traces UNC5174's earlier ties to Chinese hacktivist groups such as 'Dawn Calvary' and notes its shift toward access operations, ostensibly backed by the MSS.

There are also indications that UNC5174 has acted as an initial access broker, drawing on capabilities shared with groups such as UNC302, which has likewise targeted U.S. and U.K. government agencies. That overlap suggests shared exploits and tradecraft among several Chinese state-sponsored actors, a pattern seen elsewhere in the current threat landscape.

The assessment underlines how Chinese state-affiliated actors keep refining their approach, increasingly weaponizing newly disclosed vulnerabilities at scale for cyber-espionage. Mandiant's researchers add that UNC5174 attempted to monetize the access it obtained, notably to systems belonging to defense contractors and government institutions.

Coming alongside the MSS's own warnings about foreign hacking groups infiltrating Chinese organizations, the findings are a reminder that exposed, unpatched edge appliances and remote-access software remain a primary entry point for well-resourced adversaries, and that prompt patching and monitoring of those systems is essential.
